If all your ports are showing as closed instead of non-existent or stealth, that means you are also protected.
When you show outside that your ports are closed means that your system received signal from outside and responded that the ports are closed, so nothing happened.
The ideal situation is when your system simply discards any invasion tentative not showing its presence, therefore your system enjoys a ghost status, being invisible to others. You can change this situation by configuring your firewall to discard (just drop) invasion tentative without responding.

...and I hoped the times of direct internet access were history, through routers and the natural side effects of NAT (let's hope tethering takes care of that soon).

Back on topic, if packets to a port are dropped (no response at all) or rejected (there is a station, but no access) makes no difference in regards to security. The thought that dropping packets would make you invisible to the evil doers on the net, is flawed as soon as there's any open port existing or if the potential attacker knows you to be there.

Assuming you know what you're running - and open (== have a dæmon listening) only the ports you want to have open, there is no difference between running a firewall and not doing so. However a firewall can help you to identify misconfiguration on your part and may save you from new applications unexpectedly opening ports to the outside. Especially on netbooks/ notebooks, where random packages might get installed without further inspection, it might help to run a firewall - but this really is no solution and merely a bandaid.

However nothing substitutes strong passwords and for systems with direct internet connections, I suggest to only allow pubkey based authentification.

Just depending on the level of your knowledge, there are two main avenues to pursue to close port 22 which is as you also said on your post, the ssh port.

If you do not use it (ssh), just close it.

It can be done from the terminal by editing the iptable parameters or if you have installed some Firewall with GUI (Graphical User Interface) you can do it from the Firewall screen. As our good mentor and guru slh is saying above, actually using or not a firewall is exactly the same since the system loads the basic iptables at boot time, therefore the critical point is just having the correct iptable parameters loaded from start.

I do not have any of the usual firewall interfaces I use installed right now, to help you with a step by step, nevertheless I can tell you that both are easy to work with (Firestarter and Guarddog). Firestart is easier to setup and has an active icon on the tray showing when your system is hit by anyone. Firestarter has limited configuration parameters compared to Guarddog, so it is just a question of experimenting with both.

The best way is to get to know how to manipulate the iptables and do it direct from a terminal. All above information is not from any linux guru but just from a simple and modest linux user.